Maintain Security with Positive ID Checks

Corporate ID badges: everyone has them these days. Most organisations with more than a few tens of people have listened to their security and HR consultants. They've spent money on ID badges. This is great news, of course. However, they're not very much use if people don't check them. I mean really check them, not just a cursory glance. This article explains some of the issues that I've seen as a consultant and gives some ideas to improve the situation in your business.

Corporate ID badges have been in use for many years. In fact, before this took off in the general corporate world, we were all used to seeing ID badges or numbers on Doctors, nurses, policemen and so forth. So none of this should be new.

In the course of my work, I am constantly present in other company buildings. I often get left to my own devices to carry out my work. That's great for me because no-one likes being shoulder surfed. It's also great for my clients because they can get on with their day job while I work for them. Win-win. However, how often do I get checked for ID as I wonder the corridors searching for the bathroom or the coffee machine?

You've got it. Hardly ever.

That's despite me often having a Visitor badge. Actually, it's not always prominently displayed because of something I learned years ago: If you are showing a visitor badge, you might get asked what you're up to. In certain more security concious environments, a visitor badge gets more attention than I want. I just want a coffee, not an escort back to my suddenly embarrassed host. So I stuff it in my pocket and just look like I'm supposed to be there. I rarely get challenged. I just smile my way through doors.

Well, that's wrong for starters, isn't it?

Challenge people who don't have badges

That's easier said than done. In the workplace, it's pretty rare to be challenged because people are naturally scared of making a fool out of themselves. The thinking goes like this: "I don't know who that guy is. He's not got a badge, but if I go and ask him who he is, he'll turn out to be someone really important and I'll look a fool. In front of my supervisor and everyone else in the office. And no-one else is asking. It's really not up to me. It's not like he's walking out with a bunch of laptops is it?"

We're really used to having visitors in offices. We never challenge them because it's common place to have electricians, photo copier people and IT guys in. And it's worse in public organisations like hospitals and schools. This is hard to get over. It's down to education mainly. Organisations need to get their people to be more assertive about this. It needs to come from the top that it's more than OK to ask for ID.

You also need to have a policy for what happens when someone gets challenged and doesn't have acceptable ID. Are visitors allowed to walk the corridors unescorted? If not, what do you do with them when they are discovered? Should they be escorted to their host or to the security desk? Who is responsible for that? What if they won't go quietly? All these questions and more need to be answered up front in a clear policy that everyone has seen.

You need to make sure that visitors know what will happen if they don't wear their badge; they need to know the policy, including where they are and are not allowed to go without their host. You also need to tell your staff when you have contractors in, where they will be going and so on.

Better Badges, Better Holders

Another thing that can be improved are the ID badges themselves. Having been to many, many different sites, I think I've seen just about all variations of badge that there are. There aren't really very many in use. Most ID cards are based on a while plastic card with information printed on it. Perhaps there is a (predictable) logo. Most are held in a plastic badge holder to protect the card and give the user some way to attach it to themselves.

Over the years, I've obtained several different coloured badge holders and a number of coloured lanyards, belt clips and so on. I suspect that these would match up to 90% of corporate standard badge holders.

So, you see someone you don't know with a badge holder that looks right and that has a white plastic card in it. You can't see the writing on the card from a distance, but it looks like it has the company logo on it. Do you challenge them? Based on my experiences, I'd bet that most people in any sizeable company wouldn't bother. In fact, you can probably forget the company logo and just think about any white card - after all, they're always turning around the wrong way, right? In small companies, it's much more likely that the person would be challenged.

Well, that's all wrong again!

You need to challenge this person. Check their ID carefully - and then, if it looks perfect, say hello to your new colleague and escort them to their desk. Then, call their manager using your own phone to check. If you're concerned, keep them in sight until your suspicions are satisfied by someone you do know and trust. There needs to be an corporate atmosphere where this is acceptable. Your colleague should have been warned about this in their induction, so won't mind.

ID's can be improved by careful design and customisation to make (opportunistic) cloning difficult. They should always include: